Big Ransomware Outbreak Today - Be Vigilant

I've basically told my users don't open or look at anything off the domain...going with the "Have a pint at the Winchester and wait for this all to blow over" approach.

My work is seriously considering quarantining externally sent files by the policy on the email server for a few hours.
 
The real question is... how long did MS know about this? Sure they patched the flaw once the vault was made public BUT did they know about it for years but kept it open for the NSA?

If MS left it insecure they need to be punished.

Our analysis indicates the attack, dubbed “WannaCry”, is initiated through an SMBv2 remote code execution in Microsoft Windows. This exploit (codenamed “EternalBlue”) has been made available on the internet through the Shadowbrokers dump on April 14th, 2017 and patched by Microsoft on March 14.

https://securelist.com/blog/inciden...sed-in-widespread-attacks-all-over-the-world/

I don't have any idea how long Microsoft knew about this flaw but they released the patch a month BEFORE the leak of the flaw on the internet. The patch may have been ready to go in February but Microsoft canceled that month's patches.
 
Any word on if this is just coming via e-mail or if internet drive-by is also on the list?
Unless you have the SMB ports open to the wild... I doubt it.
The ransomware WanaCrypt0r 2.0 has local network capabilities, meaning that with only one computer exposed to this ransomware, it could potentially infect all the other computers in the same network with the ransomware; the worm uses the vulnerabilities that were released by the Shadow Brokers, who leaked NSA tools.
So far it seems someone on the LAN opens an email (Word attachment?) that kicks it all off for that network.
 
This is looking really bad. My main PC at home with Windows 10 is patched and I'm fairly certain my work PC is patched as well. I've been sick this week so I haven't been at work. Is it possible for a PC to get ransomware while in sleep mode?
 
I am bringing my network down at 4PM today. We had a ransomware outbreak last month....we have clean backups and were able to restore all affected machines. I am not taking any chances this go around.
 
It is. But lazy IT departments haven't picked up the patches yet.
Lazy and/or cautious. Patches need testing. The company I work for had to change its patching philosophy now that MS bundles patches for Win7. Beforehand they would pick, test, deploy. Now they have to patch... then if it looks OK they push out to "ring 2" and every now and again something breaks (the last set I had caused issues with Excel...) THEN finally everyone... I got a new batch today which I believe was the March set. Which means there are at least 200,000 others where I work without it...
 
I know I've run Windows updates up through April; the only ones we do not have patched are the current May ones. Hopefully that helps us some. We sent out an email reminding people to actually look before they click (probably won't help).
 
Is it possible for a PC to get ransomware while in sleep mode?

Not while in sleep unless something woke it up remotely. Hopefully your work would have these ports blocked externally. But it is possible to get this through email. We're pretty good at blocking this at work but I did see one get through this week. Not sure if it's this attack but we do see emails that are saying they are from our internal IT, it mentions the company by name and says to click this link for a "security update". Right. They are easy to spot as they are missing some of the elements those kinds of emails have when they are security related. Plus we don't ask users to do security updates, those are all pushed.
 
Lazy and/or cautious. Patches need testing. The company I work for had to change its patching philosophy now that MS bundles patches for Win7. Beforehand they would pick, test, deploy. Now they have to patch... then if it looks OK they push out to "ring 2" and every now and again something breaks (the last set I had caused issues with Excel...) THEN finally everyone... I got a new batch today which I believe was the March set. Which means there are at least 200,000 others where I work without it...

But even without this patch, SMB ports should be blocked externally.
 
The fact that Microsoft already patched this vulnerability makes me facepalm.

IT departments are fond of saying that they have to validate all new updates just in case they break anything. Maybe this policy should be reconsidered, and - at least for security updates - they should be patched as soon as they go live without any delay for testing.

Sure, having an update break something can be a pain, and can cost you money, but having all your data held for ransom, or stolen is way worse.
 
The fact that Microsoft already patched this vulnerability makes me facepalm.

IT departments are fond of saying that they have to validate all new updates just in case they break anything. Maybe this policy should be reconsidered, and - at least for security updates - they should be patched as soon as they go live without any delay for testing.

Sure, having an update break something can be a pain, and can cost you money, but having all your data held for ransom, or stolen is way worse.

Yeah, anything involving a remote execution flaw, just do it. And again, why are these ports open to the internet? That's Cybersecurity 101 stuff.
 
I know I've run Windows updates up through April; the only ones we do not have patched are the current May ones. Hopefully that helps us some. We sent out an email reminding people to actually look before they click (probably won't help).

That's what I did. Most of our machines should be patched but for the stragglers I still sent out a message saying don't do anything stupid.
 
The fact that Microsoft already patched this vulnerability makes me facepalm.

IT departments are fond of saying that they have to validate all new updates just in case they break anything. Maybe this policy should be reconsidered, and - at least for security updates - they should be patched as soon as they go live without any delay for testing.

Sure, having an update break something can be a pain, and can cost you money, but having all your data held for ransom, or stolen is way worse.

For Critical security updates I would agree.
 
yup, but if some nub of an employee opens an attachment to get it within the network...

True, but the main vector for this one appears to be the SMBv2 flaw. Even on an unpatched system this shouldn't have gotten through a properly configured network.
 
The fact that Microsoft already patched this vulnerability makes me facepalm.

IT departments are fond of saying that they have to validate all new updates just in case they break anything. Maybe this policy should be reconsidered, and - at least for security updates - they should be patched as soon as they go live without any delay for testing.

Sure, having an update break something can be a pain, and can cost you money, but having all your data held for ransom, or stolen is way worse.


http://windowsitpro.com/patch-tuesday/patch-tuesday-kb3023607-breaks-cisco-anyconnect-heres-fix

Patch Tuesday: KB3023607 Breaks Cisco AnyConnect, Here's a Fix (2015)...

And there have been more recent examples


 
True, but the main vector for this one appears to be the SMBv2 flaw. Even on an unpatched system this shouldn't have gotten through a properly configured network.
And equally correctly updated virus definitions... As of 17:15, 28 of the 61 major global AV companies have a signature to detect and remove WCry2.0.
https://www.virustotal.com/en-gb/fi...f1071661840480439c6e5babe8e080e41aa/analysis/

IT departments need to improve, GLOBALLY, and this is a case in point, but equally the patching of such flaws...

MORE importantly, such flaws should not exist. The work I do is subject to ARP4574 and DO-178/DO-254. Windows would NEVER pass such a process, and that is why I consider it and MS a joke.
 
http://money.cnn.com/2017/05/12/technology/ransomware-attack-nsa-microsoft/index.html He said it's likely the ransomware will spread to U.S. firms too. The ransomware is automatically scanning for computers it can infect whenever it loads itself onto a new machine. It can infect other computers on the same wireless network.
"It has a 'hunter' module, which seeks out PCs on internal networks," Beaumont said. "So, for example, if your laptop is infected and you went to a coffee shop, it would spread to PCs at the coffee shop. From there, to other companies."
It's a worm
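The LAN-sweep behaviour quoted above is something you can look for in Windows Firewall logs on the hosts themselves. The following is an added example, not code from the thread or from any vendor: it parses pfirewall.log-format lines, groups TCP/445 connection attempts by source address, and reports any source that reached many distinct hosts on 445 inside a short window. The log lines are constructed sample data, and the threshold, window and addresses are assumptions.

```powershell
# Added example, not from the original thread. Flags a host sweeping the local network on
# TCP/445, the behaviour of the worm's "hunter" module. Input format is the Windows Firewall
# log (%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log), which must be switched on
# first. The lines below are constructed sample data, not a real capture.

$sample = @('#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path')
# A workstation opening its usual file server twice in twenty minutes: benign.
$sample += '2017-05-12 15:10:02 ALLOW TCP 10.0.0.40 10.0.0.2 50120 445 0 - 0 0 0 - - - SEND'
$sample += '2017-05-12 15:30:45 ALLOW TCP 10.0.0.40 10.0.0.2 50131 445 0 - 0 0 0 - - - SEND'
# One host touching twelve different neighbours on 445 within three seconds: a sweep.
foreach ($n in 1..12) {
    $sec = [int][math]::Floor($n / 5)   # seconds 0..2
    $sample += "2017-05-12 15:20:0$sec ALLOW TCP 10.0.0.23 10.0.0.$($n + 4) $(49000 + $n) 445 0 - 0 0 0 - - - SEND"
}

function Find-SmbSweeps {
    param(
        [string[]]$Lines,
        [int]$MinTargets    = 10,   # assumption: distinct hosts on 445 before it counts as a sweep
        [int]$WindowSeconds = 60    # assumption: how quickly those hosts were hit
    )
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $events = foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        # Fields: 0 date, 1 time, 2 action, 3 protocol, 4 src-ip, 5 dst-ip, 6 src-port, 7 dst-port
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP' -or $f[7] -ne '445') { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $culture)
            Src  = $f[4]
            Dst  = $f[5]
        }
    }
    foreach ($g in ($events | Group-Object -Property Src)) {
        $targets = @($g.Group | Select-Object -ExpandProperty Dst -Unique)
        $ordered = @($g.Group | Sort-Object -Property Time)
        $span    = ($ordered[-1].Time - $ordered[0].Time).TotalSeconds
        if ($targets.Count -ge $MinTargets -and $span -le $WindowSeconds) {
            [pscustomobject]@{
                Source    = $g.Name
                Targets   = $targets.Count
                Seconds   = [int]$span
                FirstSeen = $ordered[0].Time
            }
        }
    }
}

# Against the sample: 10.0.0.23 is reported (12 targets in 2 s); 10.0.0.40 is not.
Find-SmbSweeps -Lines $sample | Format-Table -AutoSize

# Against a real log on a host where firewall logging is on:
# Find-SmbSweeps -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

Only ALLOW and DROP lines on destination port 445 are considered, so a host that is simply being scanned (many sources, one destination) is not reported; the grouping is by source because the question is which machine is doing the hunting. Tune MinTargets down for small subnets and up for jump hosts or vulnerability scanners that legitimately touch every machine.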
 
Said it once and I'll say it again: if the person or persons responsible for creating these kinds of tools and distributing them are ever found, a bullet in the skull cavity is OK with me, I'll even pay for the ammunition.
 
http://money.cnn.com/2017/05/12/technology/ransomware-attack-nsa-microsoft/index.html He said it's likely the ransomware will spread to U.S. firms too. The ransomware is automatically scanning for computers it can infect whenever it loads itself onto a new machine. It can infect other computers on the same wireless network.
"It has a 'hunter' module, which seeks out PCs on internal networks," Beaumont said. "So, for example, if your laptop is infected and you went to a coffee shop, it would spread to PCs at the coffee shop. From there, to other companies."
It's a worm

Yeah, I just don't use public WiFi anymore. My phone tethered tends to be faster anyway.
 
Said it once and I'll say it again: if the person or persons responsible for creating these kinds of tools and distributing them are ever found, a bullet in the skull cavity is OK with me, I'll even pay for the ammunition.
Considering how much the Russian government has been affected... I am almost certain this will happen.
 
Why the hell does this have to happen today when I actually have a day off... I could have possibly gotten paid to do nothing since our computer systems are tied to FedEx's systems. Son of a bitch!


So much for packages getting to their destinations on time....

They'll still get there, but most of the FedEx flights have been delayed by 2 or more hours due to this shit. I think internal FedEx should be fine but USPS to FedEx to USPS might be fucked, but I won't know for another 5 hours when my co-workers start showing up to work. I'll try to find out more from them on whether they're being affected by it.

Edit:
Forgot to update my post; checked with my co-workers. Today we only received 18k pounds of mail through FedEx; the 3-month average for Fridays is 49k pounds. FedEx doesn't want to say that the ransomware affected how much our hub received, but I'm pretty sure it was the reason, since they start loading our air transport containers in Memphis right around when the ransomware attack initially hit them.

We'll see what happens for Saturday delivery.
 
Said it once and I'll say it again: if the person or persons responsible for creating these kinds of tools and distributing them are ever found, a bullet in the skull cavity is OK with me, I'll even pay for the ammunition.
Agreed. I absolutely think damage and disruption on this scale is deserving of the death penalty.
 
The fact that Microsoft already patched this vulnerability makes me facepalm.

IT departments are fond of saying that they have to validate all new updates just in case they break anything. Maybe this policy should be reconsidered, and - at least for security updates - they should be patched as soon as they go live without any delay for testing.

Sure, having an update break something can be a pain, and can cost you money, but having all your data held for ransom, or stolen is way worse.

What I'd like to know is exactly how long IT departments plan on withholding these updates. I mean, it's been 2 months since this exploit was patched. And it's not like some of these companies (à la FedEx, Russian Interior, NHS) are small-scale operations who don't have the budget to be able to test these things and roll them out quickly if safe. And if unsafe, this particular exploit can still be foiled by turning off SMBv1 and SMBv2, which can be done via Group Policy.

BUT. That said. The only thing that the vulnerability could be used for was infecting other systems on the same network once a seed system was infected. And how have those seed systems been infected? How else? By some luddite opening an email attachment or clicking a link that they shouldn't be. So at the end of the day, the real security threat isn't exploits, it isn't Windows, it isn't ShadowBrokers or the NSA. It's people. Average, uneducated computer using people. Of course, that point will be glossed over because the narrative going forward will be how evil the SB group is and how we need to immediately start punishing anyone who leaks out information like this.
 
What I'd like to know is exactly how long IT departments plan on withholding these updates. I mean, it's been 2 months since this exploit was patched. And it's not like some of these companies (à la FedEx, Russian Interior, NHS) are small-scale operations who don't have the budget to be able to test these things and roll them out quickly if safe. And if unsafe, this particular exploit can still be foiled by turning off SMBv1 and SMBv2, which can be done via Group Policy.

BUT. That said. The only thing that the vulnerability could be used for was infecting other systems on the same network once a seed system was infected. And how have those seed systems been infected? How else? By some luddite opening an email attachment or clicking a link that they shouldn't be. So at the end of the day, the real security threat isn't exploits, it isn't Windows, it isn't ShadowBrokers or the NSA. It's people. Average, uneducated computer using people. Of course, that point will be glossed over because the narrative going forward will be how evil the SB group is and how we need to immediately start punishing anyone who leaks out information like this.
The NHS has no money...
 
http://money.cnn.com/2017/05/12/technology/ransomware-attack-nsa-microsoft/index.html He said it's likely the ransomware will spread to U.S. firms too. The ransomware is automatically scanning for computers it can infect whenever it loads itself onto a new machine. It can infect other computers on the same wireless network.
"It has a 'hunter' module, which seeks out PCs on internal networks," Beaumont said. "So, for example, if your laptop is infected and you went to a coffee shop, it would spread to PCs at the coffee shop. From there, to other companies."
It's a worm

Close the SMB ports on your firewall and all will be fine.
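The two mitigations the thread keeps returning to, turning SMBv1 off (the earlier post about doing it via Group Policy) and keeping inbound SMB away from hosts that serve no shares (this post), look like this on a single Windows box. This is an added example, not code from the thread or from Microsoft's guidance pages: the registry and sc.exe steps are the same values a Group Policy Preferences registry item would push to Windows 7, the cmdlet path covers Windows 8/Server 2012 and later, and the firewall rule uses netsh so one call works on both. The rule name and the KB list in the hotfix check are assumptions; run it from an elevated prompt.

```powershell
# Added example, not code from the thread. Report SMB1 state, disable SMB1 (server and
# client), block inbound SMB on a workstation that serves no shares, and check for the
# March 2017 MS17-010 packages on Windows 7 / Server 2008 R2. Run elevated.

$RuleName = 'Block inbound SMB (445/139)'   # assumption: use your own naming convention

function Get-Smb1State {
    # LanmanServer\Parameters\SMB1 = 0 disables the SMB1 server; when the value is absent
    # SMB1 is on. mrxsmb10\Start = 4 means the SMB1 client redirector is disabled.
    $srv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $cli = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1ServerEnabled = if ($null -eq $srv.SMB1) { $true } else { $srv.SMB1 -ne 0 }
        Smb1ClientStart   = if ($cli) { $cli.Start } else { 'driver not present' }
    }
}

function Disable-Smb1 {
    # Server side. Windows 8 / 2012 and later have a cmdlet; the registry value underneath
    # it is what KB2696547 documents for Windows 7 / 2008 R2 and what a GPP item would set.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                         -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Client side: drop the workstation service's dependency on the SMB1 redirector and
    # disable the driver. Takes effect after a reboot. The space after '=' is required by sc.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

function Block-InboundSmb {
    # For workstations that do not serve files: nothing needs to reach 445/139 inbound.
    # File servers and domain controllers keep their allow rules; do not run this on them.
    # netsh is used so the same call works on Windows 7, which lacks New-NetFirewallRule.
    $existing = netsh advfirewall firewall show rule name="$RuleName" 2>&1
    if (-not ($existing | Select-String -SimpleMatch -Quiet 'Rule Name:')) {
        netsh advfirewall firewall add rule name="$RuleName" dir=in action=block protocol=TCP localport=445,139 | Out-Null
    }
}

function Test-Ms17010March2017 {
    # Windows 7 SP1 / Server 2008 R2 SP1 only. KB4012212 (security-only) and KB4012215
    # (monthly rollup) are the March 14 packages carrying MS17-010. Later monthly rollups
    # supersede them, so $false here means "check update history", not "definitely unpatched".
    $ids = 'KB4012212', 'KB4012215'
    [bool](Get-HotFix -Id $ids -ErrorAction SilentlyContinue)
}

'SMB1 before:'; Get-Smb1State
Disable-Smb1
Block-InboundSmb
'SMB1 after:';  Get-Smb1State
'March 2017 MS17-010 package present (Win7/2008 R2 only): ' + (Test-Ms17010March2017)
```

The firewall rule is a host-level backstop for the perimeter block the thread is asking for; it does nothing against the e-mail seed on the machine that opens the attachment, it stops that machine's neighbours from being reachable on 445 once the worm starts hunting. Reboot after the client-side change, and verify with Get-Smb1State that Smb1ClientStart reads 4.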
 
Oh, man, I better patch my home network!

I learned a long time ago, I don't trust any critical system to Microsoft.

It's not really Microsoft's fault. If there was money to be made in attacking Raspbian I'm sure they'd also get attacked.

That said, I too wouldn't give a shit if my rig was compromised, it has no purpose outside of gaming and light web browsing.
 
Agreed. I absolutely think damage and disruption on this scale is deserving of the death penalty.

Since the gov't wrote the original, what's their punishment?

Oh that's right, our f'ing gov't is never held accountable. Silly me.

I wonder if companies like FedEx can sue in court for damages for the government being careless with dangerous tools that caused irreparable harm to their business.
 
http://windowsitpro.com/patch-tuesday/patch-tuesday-kb3023607-breaks-cisco-anyconnect-heres-fix

Patch Tuesday: KB3023607 Breaks Cisco AnyConnect, Here's a Fix (2015)...

And there have been more recent examples

No one's arguing that Microsoft's patches don't occasionally screw something up. At least I'm not.

The argument is that it is probably better to take the risk of having something occasionally screwed up, and having to rush around and fix it, rather than exposing your organization to data theft or encryption ransomware.
 
It's times like this I want to sit back, kick up my feet and go "Stupid arrogant F's. Told ya so."

Then cry when they learn nothing.
 